Libvirt Security Notice: LSN-2013-0013
======================================

     Summary: Crash of libvirtd when ACLs are active and events registered
 Reported on: 20131002
Published on: 20130927
    Fixed on: 20130927
 Reported by: Zhenfang Wang
  Patched by: Daniel Berrange
    See also: CVE-2013-4399

Description
-----------

When a connection to libvirtd is closed any event handlers registered must be removed. When ACLs were active no identity was set when removing the event handlers, so the operation was denied. Thus event handlers remained connected to a client that had been freed.

Impact
------

An unprivileged user can cause a crash of the libvirtd daemon when ACLs are active by registering one or more event handlers. This leads to a denial of service.

Workaround
----------

Remove access from unprivileged local users or block access to the event APIs using ACLs

Affected product
----------------

      Name: libvirt
Repository: https://gitlab.com/libvirt/libvirt

    Branch: master
 Broken in: v1.1.0
 Broken in: v1.1.1
 Broken in: v1.1.2
  Fixed in: v1.1.3
 Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 8294aa0c1750dcb49d6345cd9bd97bf421580d8b

    Branch: v1.1.0-maint
 Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 03288d0de6894e18c9be187e2ace0cc50f15ceaa

    Branch: v1.1.1-maint
 Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 966025b1c6a6c0043c4d1c5f0c9ba218e3fe113b

    Branch: v1.1.2-maint
 Broken by: ed3bac713c3cfc055ef551cbfe92a061084382c3
  Fixed by: 841284a04895f3fc4c5ae9073e33a6130776efa7
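
The failure described under Description, reduced to a toy C model. This is an added example, not libvirt code and not the project's patch: every type and function name is hypothetical, a flag stands in for freeing the client, and setting an identity before cleanup is an assumed correction because the notice does not describe the fix.

```c
/* Toy model of the flaw in the Description; not libvirt code, all names hypothetical. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_HANDLERS 8
struct client  { bool freed; };              /* freed stands in for free() */
struct handler { struct client *owner; bool active; };
static struct handler handlers[MAX_HANDLERS];
static const struct client *identity;        /* who the ACL check sees; NULL = nobody */
static bool acl_allows(void) { return identity != NULL; }

static bool register_handler(struct client *c) {
    if (!acl_allows()) return false;
    for (size_t i = 0; i < MAX_HANDLERS; i++)
        if (!handlers[i].active) { handlers[i] = (struct handler){ c, true }; return true; }
    return false;
}

/* ACL-checked removal: returns handlers removed, or -1 when access is denied. */
static int deregister_all(const struct client *c) {
    int removed = 0;
    if (!acl_allows()) return -1;
    for (size_t i = 0; i < MAX_HANDLERS; i++)
        if (handlers[i].active && handlers[i].owner == c) { handlers[i].active = false; removed++; }
    return removed;
}

/* Connection teardown. set_identity=false reproduces the denied cleanup; true is
 * one possible correction (an assumption here, not the project's actual patch). */
static void close_client(struct client *c, bool set_identity) {
    identity = set_identity ? c : NULL;
    (void)deregister_all(c);                 /* in this model a denial goes unnoticed */
    identity = NULL;
    c->freed = true;
}

/* Register n handlers, close the client, return handlers left pointing at it. */
static int run_scenario(bool set_identity, int n) {
    static struct client c;
    int dangling = 0;
    c.freed = false;
    for (size_t i = 0; i < MAX_HANDLERS; i++) handlers[i].active = false;
    identity = &c;                           /* authenticated session */
    for (int i = 0; i < n; i++) register_handler(&c);
    close_client(&c, set_identity);
    for (size_t i = 0; i < MAX_HANDLERS; i++)
        if (handlers[i].active && handlers[i].owner->freed) dangling++;
    return dangling;
}

int main(void) { return (run_scenario(false, 2) == 2 && run_scenario(true, 2) == 0) ? 0 : 1; }
```

In the model, any later event dispatch over a handler counted as dangling would touch released client state, which is the condition the notice associates with the daemon crash.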